Google Cloud
Security and Compliance

Independent Third-Party Certifications

Google’s customers and regulators expect independent verification of our
security, privacy, and compliance controls. To provide it, we undergo several
independent third-party audits on a regular basis. In each one, an independent
auditor examines our data centers, infrastructure, and operations. These
audits certify our compliance with ISO 27001, ISO 27017 and ISO 27018, produce
our SOC 2 and SOC 3 reports, and verify our compliance with the U.S. Federal
Information Security Modernization Act of 2014 (FISMA) for G Suite for
Government. When customers evaluate G Suite, these certifications and reports
help them confirm that the product suite meets their security, compliance and
data processing needs.

ISO 27001

ISO/IEC 27001 is one of the most widely recognized and accepted independent
security standards; it specifies the requirements for an information security
management system (ISMS). Google has earned this certification for the systems,
technology, processes, and data centers that run G Suite. Our compliance with
the international standard was certified by Ernst & Young CertifyPoint, an ISO
certification body accredited by the Dutch Accreditation Council (a member of
the International Accreditation Forum, or IAF). Our ISO 27001 certificate and
scoping document are available here.

ISO 27017

ISO/IEC 27017 is an international code of practice for information security
controls, based on ISO/IEC 27002, that addresses cloud services specifically:
it adds cloud-specific implementation guidance and controls for both cloud
service providers and cloud service customers. Our compliance with the
international standard was certified by Ernst & Young CertifyPoint, an ISO
certification body accredited by the Dutch Accreditation Council (a member of
the International Accreditation Forum, or IAF). Our ISO 27017 certificate is
available here.

ISO 27018

ISO/IEC 27018 is an international code of practice for the protection of
personally identifiable information (PII) in public cloud services, aimed at
cloud providers that process PII on behalf of their customers. Our compliance
with the international standard was certified by Ernst & Young CertifyPoint,
an ISO certification body accredited by the Dutch Accreditation Council (a
member of the International Accreditation Forum, or IAF). Our ISO 27018
certificate is available here.

SOC 2/3

In 2014, the American Institute of Certified Public Accountants (AICPA)
Assurance Services Executive Committee (ASEC) released the revised version of
the Trust Services Principles and Criteria (TSP). SOC (Service Organization
Controls) reports are audit reports on a service organization's controls
against those principles. Google has both SOC 2 and SOC 3 reports, covering the
four non-privacy principles: security, availability, processing integrity, and
confidentiality. Our SOC 3 report is a general-use report and is available for
download without a nondisclosure agreement; it confirms our compliance with
the principles of security, availability, processing integrity and
confidentiality.

FedRAMP

The Federal Risk and Authorization Management Program, or FedRAMP, is a
government-wide program that provides a standardized approach to security
assessment, authorization, and continuous monitoring for cloud products and
services. Its “do once, use many times” model lets agencies reuse a single
authorization rather than each conducting its own assessment, saving an
estimated 30-40% in cost as well as the time and staff that redundant
agency-by-agency security assessments would require. FedRAMP is the result of
close collaboration with cybersecurity and cloud experts from the General
Services Administration (GSA), National Institute of Standards and Technology
(NIST), Department of Homeland Security (DHS), Department of Defense (DOD),
National Security Agency (NSA), Office of Management and Budget (OMB), the
Federal Chief Information Officer (CIO) Council and its working groups, as well
as private industry. Google maintains a current authorization to operate (ATO)
for G Suite.